
List:       ipfilter
Subject:    Ipv6 Filtering strange problem
From:       "PradeepReddy, Maram" <PradeepReddy.Maram () siemens ! com>
Date:       2006-02-10 17:41:50
Message-ID: 6C11F971A507DF4B951EA4153880BDFA045FB787 () inblrm999msx ! in002 ! siemens ! net

Hello 

I would like to thank Mr Laxman Amruth for help and analysing IPv6
filtering along with me.

A little bit of progress in configuring IPFilter for IPv6 filtering. I was
able to view IPv6 stats in the "ipfstat" output.

We have to insert "pfil" module on Network Interface with "inet6" option
also.

Something like:

    # ifconfig ce3 inet6 modinsert pfil@1    [immediately after "ip" stream]

As soon as the pfil module is inserted, the complete packets passing through
that Network Interface are getting blocked.

We suspect problem with IPv6 packet matching ..

"ipfstat" output showing like below ..

root@sf44ce22> ipfstat 
bad packets:            in 0    out 0
 IPv6 packets:          in 13829 out 6769
 input packets:         blocked 0 passed 13829 nomatch 1 counted 0 short 0
output packets:         blocked 0 passed 6769 nomatch 0 counted 0 short 0
 input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0 output 0
 log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 0  lost 0
packet state(out):      kept 0  lost 0
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  5       (out):  0
IN Pullups succeeded:   0       failed: 13823
OUT Pullups succeeded:  0       failed: 6769
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      7377
Packet log flags set: (0)
        none
------------------------------------------------------------------------
root@sf44ce22> ipfstat -6hio
empty list for ipfilter(out)
0 block in log on ce3 proto tcp from any to 2106:22:188:252:0:66:1:4/64 port = ssh
------------------------------------------------------------------------

root@sf44ce22>  ndd /dev/pfil pfil_inet6
in
function        flags
7847a0e8        3
out
function        flags
7847a0e8        3

root@sf44ce22>  ndd /dev/pfil qif_status
ifname ill q OTHERQ ipmp num sap hl nr nw bad copy copyfail drop notip nodata notdata
ce3 0x3000393f940 0x300296aa298 0x300296aa388 0x0 14 86dd 14 14865 7328 0 0 0 0 0 0 0
QIF2 0x0 0x3002965eb48 0x3002965ec38 0x0 2 8035 0 0 0 0 0 0 0 0 0 0
QIF1 0x0 0x30008cea820 0x30008cea910 0x0 1 806 0 2 13 0 0 0 0 0 0 0
root@sf44ce22> 

Best Regards
Pradeep Reddy 
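
The ipfstat counters quoted in the message above can be cross-checked mechanically: the failed pullup counts are almost equal to the packet counts in each direction. The following is an added example, not part of the original message; the function names and the 0.9 threshold are assumptions chosen for illustration.

```python
import re

# Excerpt of the ipfstat output quoted in the message above (wrapped lines joined).
SAMPLE = """\
bad packets:            in 0    out 0
 IPv6 packets:          in 13829 out 6769
 input packets:         blocked 0 passed 13829 nomatch 1 counted 0 short 0
output packets:         blocked 0 passed 6769 nomatch 0 counted 0 short 0
 input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 0
IN Pullups succeeded:   0       failed: 13823
OUT Pullups succeeded:  0       failed: 6769
"""

def parse_ipfstat(text):
    """Return {'in': {...}, 'out': {...}} holding the packet and pullup counters."""
    stats = {"in": {}, "out": {}}
    for line in text.splitlines():
        line = line.strip()
        # "input packets:" / "output packets:" only; the "... packets logged:" lines
        # do not match because the colon must follow "packets" directly.
        m = re.match(r"(input|output) packets:\s+(.*)", line)
        if m:
            direction = "in" if m.group(1) == "input" else "out"
            for name, value in re.findall(r"([a-z]+) (\d+)", m.group(2)):
                stats[direction][name] = int(value)
            continue
        m = re.match(r"(IN|OUT) Pullups succeeded:\s+(\d+)\s+failed:\s+(\d+)", line)
        if m:
            direction = m.group(1).lower()
            stats[direction]["pullup_ok"] = int(m.group(2))
            stats[direction]["pullup_failed"] = int(m.group(3))
    return stats

def pullup_findings(stats, threshold=0.9):
    """List (direction, failed, seen) where failed pullups / packets seen >= threshold.

    The threshold is an assumed value for this example, not an IPFilter setting.
    """
    findings = []
    for direction in ("in", "out"):
        counters = stats[direction]
        seen = counters.get("blocked", 0) + counters.get("passed", 0)
        failed = counters.get("pullup_failed", 0)
        if seen and failed / seen >= threshold:
            findings.append((direction, failed, seen))
    return findings

if __name__ == "__main__":
    for direction, failed, seen in pullup_findings(parse_ipfstat(SAMPLE)):
        print(f"{direction}: {failed} of {seen} packets failed pullup")
```
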

